IAM permissions boundary support

Does Serverless support an easy way to add an IAM permission boundary to the lambda execution roles? I’d love to be able to specify it in the provider similar to iamRoleStatements or on a per function level. Currently I’m having to create my execution role manually in the Resources and link it to each function due to the fact that I’m required to provide a permission boundary on my roles.


Like you, I would like to be able to add my PermissionBoundary property directly in my iamRoleStatements but, as a temporary workaround, I have simply extended my IAM Role in the Resources section.

resources:
  Resources:
    MyFunctionIamRoleLambdaExecution:
      Properties:
        # CloudFormation's own Sub syntax (${...}); the original used the
        # serverless-pseudo-parameters "#{...}" form, which needs that plugin.
        PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/my_policy_name"

MyFunctionIamRoleLambdaExecution is automatically created by Serverless Framework for my function MyFunction.

I would also like this feature. I think adding another element to the iamRoleStatements would be easiest. Writing a plugin to do this is also possible rather than adding an extension for every function in the Resources section. Thanks for the example.

The complete example would be this

service:
  name: one5
provider:
  name: aws
  runtime: python3.8
  region: us-west-2

functions:
  importFPGroupDataToGA3:
    handler: handler.hello1
    # Point the function at the custom role instead of the framework-generated one.
    role:
      Fn::GetAtt:
        - myDefaultRole
        - Arn

resources:
  Resources:
    myDefaultRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: 'sts:AssumeRole'
        # Added: without at least the basic execution policy the function
        # cannot write its CloudWatch logs.
        ManagedPolicyArns:
          - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
  # resources.extensions merges extra properties into a resource already in
  # the template; the same form works for the generated IamRoleLambdaExecution.
  extensions:
    myDefaultRole:
      Properties:
        PermissionsBoundary: 'arn:aws:iam::xxxxxxxxxxxx:policy/PermissionBoundary'
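The plugin route mentioned earlier in the thread, as an added example that is not code from the thread or from the Serverless project: a small plugin that attaches a single boundary to every IAM role in the compiled template, generated roles included, so the per-function extensions entry is not needed. The config key `custom.permissionsBoundary`, the plugin name and the helper `applyPermissionsBoundary` are assumptions of this example.

```javascript
'use strict';
// Hypothetical plugin (added example, not code from the thread or the
// Serverless project): stamps one PermissionsBoundary onto every
// AWS::IAM::Role in the compiled template, including the roles the
// framework generates, so no per-function resources.extensions entry is needed.

// Pure helper, testable without the framework. Returns the logical IDs it
// changed; roles already carrying a *different* boundary are left as-is and
// reported, since silently replacing one is a policy decision, not a fix.
function applyPermissionsBoundary(template, boundaryArn) {
  if (typeof boundaryArn !== 'string' || !boundaryArn.startsWith('arn:aws:iam::')) {
    throw new Error(`custom.permissionsBoundary must be an IAM policy ARN, got: ${boundaryArn}`);
  }
  const result = { applied: [], skipped: [] };
  const resources = (template && template.Resources) || {};
  for (const [logicalId, resource] of Object.entries(resources)) {
    if (resource.Type !== 'AWS::IAM::Role') continue;
    resource.Properties = resource.Properties || {};
    const existing = resource.Properties.PermissionsBoundary;
    if (existing !== undefined && existing !== boundaryArn) {
      result.skipped.push(logicalId);
      continue;
    }
    resource.Properties.PermissionsBoundary = boundaryArn;
    result.applied.push(logicalId);
  }
  return result;
}

class PermissionsBoundaryPlugin {
  constructor(serverless) {
    this.serverless = serverless;
    // package:finalize runs after functions and their roles are compiled and
    // before the template is written, so generated roles are present here.
    this.hooks = { 'before:package:finalize': () => this.apply() };
  }

  apply() {
    const service = this.serverless.service;
    const boundaryArn = (service.custom || {}).permissionsBoundary; // assumed config key
    const template = service.provider.compiledCloudFormationTemplate;
    const { applied, skipped } = applyPermissionsBoundary(template, boundaryArn);
    this.serverless.cli.log(`PermissionsBoundary set on: ${applied.join(', ') || 'no roles'}`);
    if (skipped.length) {
      this.serverless.cli.log(`Roles keeping a different boundary: ${skipped.join(', ')}`);
    }
  }
}
if (typeof module !== 'undefined') module.exports = PermissionsBoundaryPlugin;
```

Register it under `plugins:` in serverless.yml and set `custom.permissionsBoundary` to the boundary policy ARN; the deploy log then lists which roles received it.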